ops-warden/SCOPE.md
tegwick e0adc10896 feat(WP-0008): reassessment, task-status canon, archive hygiene
- Post-WP-0007 reassessment and SCOPE/README updates
- AGENTS.md + workplan-convention task status canon migration
- examples/warden.production.example.yaml for production OpenBao
- Archive WP-0004 through WP-0007 to workplans/archived/260617-*
- WP-0008 T1/T3/T4 done; T2/T5 wait on operator/flex-auth
2026-06-17 23:51:12 +02:00


SCOPE

This file helps you quickly understand what this repository is about, when it is relevant, and when it is not. It is intentionally lightweight and may be incomplete. Aspirational direction lives in INTENT.md.


One-liner

Operational access steward for the NetKingdom security model — issues short-lived SSH certificates for adm/agt/atm actors, documents how to obtain other credential types from the right platform subsystems, and keeps ops access guidance aligned with NetKingdom canon.


Core Idea

Today: implements the SSH certificate lane from wiki/AccessManagementDirective.md §§15 — CA signing, actor inventory, TTL policy, cert-side scorecard, and the cert_command interface for ops-bridge.

Direction (INTENT): become the custodian-domain desk that understands NetKingdom identity, authorization, secrets, and SSH lanes — routing dev workers to key-cape, flex-auth, OpenBao, ops-bridge, and railiance components instead of centralizing all secrets here.

Signing backends: local (ssh-keygen, labs) and vault (OpenBao or other Vault-compatible SSH secrets engine API, production).


In Scope

Implemented (SSH lane)

  • Local CA backend (ssh-keygen -s)
  • OpenBao / Vault-compatible SSH engine backend
  • Actor identity registry (inventory.yaml)
  • cert_command: warden sign <actor> --pubkey <path> → cert on stdout
  • TTL enforcement per ActorType (adm 48 h, agt 24 h, atm 8 h)
  • warden status, cleanup, scorecard, signatures log
  • warden issue and ops-ssh-wrapper
  • Runbooks for OpenBao config and Inter-Hub bootstrap SSH envelope
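The cert_command contract, the per-ActorType TTL policy and the local backend listed above, as an added example that is not ops-warden's own code. The actor naming scheme (`adm-`, `agt-`, `atm-` prefix), the shape of the in-memory inventory stand-in, and the `warden:<actor>` key id format are assumptions made for this example; warden's real inventory.yaml fields and argument layout may differ.

```python
"""Added example (not ops-warden code): a minimal cert_command on the local
backend (ssh-keygen -s) that applies the SCOPE's TTL policy and prints the
certificate to stdout. Actor naming and inventory shape are hypothetical."""
import os
import shutil
import subprocess
import tempfile

# TTL policy per ActorType as stated in SCOPE (adm 48 h, agt 24 h, atm 8 h).
TTL_BY_ACTOR_TYPE = {"adm": "48h", "agt": "24h", "atm": "8h"}

# Constructed stand-in for inventory.yaml: actor -> principals.
INVENTORY = {
    "adm-alice": ["alice", "sudoers"],
    "agt-kaizen-01": ["agent"],
    "atm-ci-deploy": ["deploy"],
}


def actor_type(actor):
    """Derive ActorType from the hypothetical '<type>-<name>' actor id."""
    prefix = actor.split("-", 1)[0]
    if prefix not in TTL_BY_ACTOR_TYPE:
        raise ValueError(f"unknown ActorType for actor {actor!r}")
    return prefix


def ttl_for(actor):
    """TTL comes from policy by ActorType, never from the caller."""
    return TTL_BY_ACTOR_TYPE[actor_type(actor)]


def principals_for(actor, inventory=INVENTORY):
    """Fail closed: an actor missing from the inventory gets no cert."""
    try:
        return list(inventory[actor])
    except KeyError:
        raise ValueError(f"actor {actor!r} not in inventory") from None


def ssh_keygen_args(ca_key, actor, pubkey_path, key_id):
    """Build the ssh-keygen -s call: CA key, key id, principals, validity window."""
    return [
        "ssh-keygen", "-q", "-s", ca_key,
        "-I", key_id,
        "-n", ",".join(principals_for(actor)),
        "-V", "+" + ttl_for(actor),   # valid from now until now + TTL
        pubkey_path,
    ]


def sign_local(ca_key, actor, pubkey_path):
    """cert_command contract: return the certificate text warden would print on stdout."""
    key_id = f"warden:{actor}"
    subprocess.run(ssh_keygen_args(ca_key, actor, pubkey_path, key_id), check=True)
    # ssh-keygen writes <key>-cert.pub next to the public key it signed
    base = pubkey_path[:-4] if pubkey_path.endswith(".pub") else pubkey_path
    with open(base + "-cert.pub") as f:
        return f.read().strip()


def demo():
    """Create a throwaway CA and user key, sign, and return the cert.
    Returns None when ssh-keygen is not installed."""
    if shutil.which("ssh-keygen") is None:
        return None
    with tempfile.TemporaryDirectory() as d:
        ca = os.path.join(d, "ca")
        user = os.path.join(d, "agent")
        for path in (ca, user):
            subprocess.run(["ssh-keygen", "-q", "-t", "ed25519", "-N", "", "-f", path], check=True)
        return sign_local(ca, "agt-kaizen-01", user + ".pub")


if __name__ == "__main__":
    cert = demo()
    print(cert if cert else "ssh-keygen not available")
```

The validity window is derived from the actor's type rather than accepted as a parameter, so a caller (ops-bridge, a CI job) cannot request a longer-lived cert than policy allows, and an actor absent from the inventory is rejected instead of being signed with default principals. `ssh-keygen -L -f <cert>` shows the resulting principals and validity interval for a quick check.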

Stewardship (documentation and alignment)

  • NetKingdom security routing guidance — which subsystem owns which credential type
  • Wiki and config references aligned with OpenBao-first platform standard
  • Capability registry entry for SSH certificate issuance
  • Keeping ops access patterns consistent with net-kingdom platform architecture

Stewardship (shipped WP-0006)

  • wiki/CredentialRouting.md — credential type → subsystem routing
  • wiki/NetKingdomSecurityMap.md — NetKingdom component literacy
  • wiki/ActorInventoryPatterns.md + examples/inventory.seed.yaml
  • wiki/OpenBaoSshEngineChecklist.md — production SSH signing verification
  • wiki/PolicyGatedSigning.md — flex-auth integration (opt-in, WP-0007)

Shipped (WARDEN-WP-0007)

  • Opt-in flex-auth policy gate before warden sign / warden issue (policy.enabled)
  • policy_decision_id in signatures.log when gate allows
  • Production OpenBao health evidence (history/2026-06-17-openbao-production-verify.md)

Active (WARDEN-WP-0008)

  • End-to-end production OpenBao warden sign verification on Railiance (T2 — operator)
  • examples/warden.production.example.yaml — production config template
  • NK-WP-0009 SSH tutorial joint with net-kingdom (parallel)

Out of Scope

  • Issuing non-SSH secrets (API keys, DB creds, S3 STS, Inter-Hub keys) → OpenBao with flex-auth policy where required; ops-warden documents paths only
  • Identity / OIDC / MFA → key-cape, Keycloak
  • Authorization policy decisions → flex-auth
  • Tunnel lifecycle → ops-bridge
  • Host principal deployment → railiance-infra
  • OpenBao / Vault cluster deployment → railiance-platform
  • Human admin SSH key generation (self-service ssh-keygen)
  • Session recording, SIEM, SSO / Teleport at scale

Relevant When

  • Issuing or refreshing an SSH cert for adm/agt/atm
  • A dev worker needs to know where to get credentials in the NetKingdom stack
  • ops-bridge needs a cert_command for a tunnel
  • Adding actors to the principals inventory
  • Inter-Hub or bootstrap tasks need a short-lived agent SSH envelope
  • Checking cert-side compliance (scorecard)

Not Relevant When

  • Storing or vending API keys or runtime secrets (→ OpenBao)
  • Policy decisions on resource access (→ flex-auth)
  • Managing tunnels without SSH cert issuance (→ ops-bridge)
  • Static-key-only legacy access (ops-bridge static key mode)

Current State

  • SSH CLI: shipped v0.1.0 (WARDEN-WP-00010003)
  • Docs: OpenBao-first config (WARDEN-WP-0005), Inter-Hub bootstrap runbook
  • Registry: capability.security.ssh-certificate-issuance published
  • INTENT: operational access steward (2026-06-17)
  • Stewardship docs: WP-0006 complete — routing, inventory patterns, OpenBao checklist
  • Policy gate: WP-0007 complete — opt-in flex-auth pre-sign
  • Active workplan: WP-0008 — production SSH path verification and stewardship closeout
  • Gap reassessment: history/2026-06-17-post-wp0007-reassessment.md

How It Fits (NetKingdom)

key-cape / Keycloak     identity claims
        → flex-auth     authorization decisions
        → OpenBao       runtime secrets & dynamic credentials
        → ops-warden    SSH certs + operational access guidance
        → ops-bridge    tunnel transport (cert_command consumer)
        → railiance-*   deployment and host enforcement

Upstream: CA key (local file or OpenBao SSH engine). Actor inventory in Git or operator config.

Downstream: ops-bridge (primary), kaizen agents, CI automations, human operators.


Terminology

  • ActorType: adm | agt | atm
  • cert_command: shell command returning a cert on stdout
  • inventory.yaml: actor → principals + TTL registry
  • LocalCA / VaultCA: signing backends (backend: local | vault)
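The VaultCA backend named above, as an added example that is not ops-warden's own code: a client for the sign endpoint of the OpenBao / Vault-compatible SSH secrets engine (`POST /v1/<mount>/sign/<role>`, body `public_key`, `cert_type`, `key_id`, `valid_principals`, `ttl`; response `data.signed_key`). The mount name `ssh`, the role name `ops-warden`, the token, the injectable transport hook and the fake server are assumptions made for this example; warden's real config keys may differ.

```python
"""Added example (not ops-warden code): the VaultCA lane against the
OpenBao / Vault SSH secrets engine sign endpoint. Request and response
shapes are those of the engine's 'sign' API; mount/role names, the token
and the offline fake server are constructed for this example."""
import json
import urllib.request

# TTL policy per ActorType as stated in SCOPE (adm 48 h, agt 24 h, atm 8 h).
TTL_BY_ACTOR_TYPE = {"adm": "48h", "agt": "24h", "atm": "8h"}


class VaultSignError(RuntimeError):
    """Raised when the engine refuses to sign or returns no signed_key."""


class VaultCA:
    def __init__(self, addr, token, mount="ssh", role="ops-warden", transport=None):
        self.addr = addr.rstrip("/")
        self.token = token
        self.mount = mount
        self.role = role
        # transport(path, body) -> response dict; injectable so the example runs offline
        self.transport = transport or self._http_post

    def _http_post(self, path, body):
        req = urllib.request.Request(
            self.addr + path,
            data=json.dumps(body).encode(),
            headers={"X-Vault-Token": self.token, "Content-Type": "application/json"},
            method="POST",
        )
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read())

    def sign_request(self, actor, public_key, principals):
        """Build the sign-endpoint path and body; TTL is set by policy, not by the caller."""
        actor_type = actor.split("-", 1)[0]
        if actor_type not in TTL_BY_ACTOR_TYPE:
            raise ValueError(f"unknown ActorType for actor {actor!r}")
        path = f"/v1/{self.mount}/sign/{self.role}"
        body = {
            "public_key": public_key,
            "cert_type": "user",
            "key_id": f"warden:{actor}",
            "valid_principals": ",".join(principals),
            "ttl": TTL_BY_ACTOR_TYPE[actor_type],
        }
        return path, body

    def sign(self, actor, public_key, principals):
        """Return the signed certificate text (what warden prints on stdout)."""
        path, body = self.sign_request(actor, public_key, principals)
        resp = self.transport(path, body)
        if resp.get("errors"):                      # Vault-style error envelope
            raise VaultSignError("; ".join(resp["errors"]))
        try:
            return resp["data"]["signed_key"].strip()
        except (KeyError, TypeError):
            raise VaultSignError("sign response lacks data.signed_key") from None


# Constructed sample public key (not real key material).
SAMPLE_PUBKEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKey0000000000000 agt-kaizen-01"


def fake_transport(path, body):
    """Constructed stand-in for an OpenBao server. Like a real role with
    allowed_users, it refuses principals the role does not permit."""
    if path != "/v1/ssh/sign/ops-warden":
        return {"errors": ["no handler for route " + path]}
    allowed = {"agent", "alice", "deploy"}
    bad = [p for p in body["valid_principals"].split(",") if p not in allowed]
    if bad:
        return {"errors": ["%s is not a valid value for valid_principals" % ",".join(bad)]}
    signed = "ssh-ed25519-cert-v01@openssh.com AAAAConstructedCertBlob== " + body["key_id"] + "\n"
    return {"data": {"serial_number": "00constructed00", "signed_key": signed}}


def demo():
    ca = VaultCA("https://openbao.example.internal:8200", "s.constructed-token",
                 transport=fake_transport)
    return ca.sign("agt-kaizen-01", SAMPLE_PUBKEY, ["agent"])


if __name__ == "__main__":
    print(demo())
```

Two controls sit on the engine side rather than in the client: the role's `allowed_users` bounds which principals can appear in a cert regardless of what warden asks for, and the role's `max_ttl` caps the validity even if the client-side TTL table were edited. The fake transport models only the first; against a real engine both apply.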

Repo Relationship
net-kingdom          Canonical security architecture; ops-warden aligns to it
ops-bridge           Primary cert_command consumer
railiance-infra      Host-side SSH principals and hardening
railiance-platform   OpenBao deployment and platform secrets
flex-auth            Authorization; opt-in pre-sign policy gate (policy.enabled)
key-cape             Identity / IAM Profile lightweight mode
state-hub            Workstream registry

Provided Capabilities

type: security
title: SSH certificate issuance
description: Issues short-lived CA-signed SSH certificates for adm/agt/atm actors via a
  pluggable cert_command interface; documents NetKingdom operational access routing;
  supports local CA and OpenBao/Vault-compatible SSH engine backends.
keywords: [ssh, certificate, ca, credential, warden, ops-warden, pki, openbao, vault, netkingdom]

Getting Oriented

Read first                                                    Purpose
INTENT.md                                                     Why ops-warden exists and where it is going
SCOPE.md                                                      What is implemented today (this file)
wiki/CredentialRouting.md                                     Which subsystem for each credential need
wiki/NetKingdomSecurityMap.md                                 Platform security component map
history/2026-06-17-post-wp0007-reassessment.md                Latest INTENT ↔ SCOPE assessment
examples/warden.production.example.yaml                       Production warden.yaml template
wiki/AccessManagementDirective.md                             SSH actor model
wiki/OpsWardenConfig.md                                       warden.yaml and OpenBao
wiki/CertCommandInterface.md                                  cert_command contract
wiki/InterHubBootstrapAccessLane.md                           Bootstrap SSH envelope
net-kingdom/docs/platform-identity-security-architecture.md   Platform security canon